Notes: libvirt authentication over TCP
When virsh connects to another server, it uses a TCP connection:

virsh -c qemu+tcp://host/system

If the target server has not enabled libvirtd's TCP port listener, the following error appears:

error: unable to connect to server at 'host:16509': Connection refused
error: failed to connect to the hypervisor

Fix on Ubuntu

sed -i 's/#listen_tls = 0/listen_tls = 0/g' /etc/libvirt/libvirtd.conf
sed -i 's/#listen_tcp = 1/listen_tcp = 1/g' /etc/libvirt/libvirtd.conf
sed -i 's/#auth_tcp = "sasl"/auth_tcp = "none"/g' /etc/libvirt/libvirtd.conf

Fix on CentOS

sed -i 's/#listen_tls = 0/listen_tls = 0/g' /etc/libvirt/libvirtd.conf
sed -i 's/#listen_tcp = 1/listen_tcp = 1/g' /etc/libvirt/libvirtd.conf
sed -i 's/#auth_tcp = "sasl"/auth_tcp = "none"/g' /etc/libvirt/libvirtd.conf
sed -i 's/#LIBVIRTD_ARGS="--listen"/LIBVIRTD_ARGS="--listen"/g' /etc/sysconfig/libvirtd
service libvirtd restart

Reference: Enabling libvirtd TCP listening on Linux

http://blog.chinaunix.net/uid-22166872-id-4170148.html

Modify the authentication configuration

vi /etc/sasl2/libvirt.conf
mech_list: digest-md5
sasldb_path: /etc/libvirt/passwd.db

Create an authentication user
mercury:~ # saslpasswd2 -a libvirt admin # add user admin
Password:
Again (for verification):
mercury:~ # sasldblistusers2 -f /etc/libvirt/passwd.db # list users
admin@mercury.example.com: userPassword
mercury:~ # saslpasswd2 -a libvirt -d foxchan # delete user foxchan

Test the account

[root@aws10011 ~]# virsh -c qemu+tcp://127.0.0.1/system?no_verify=1 nodeinfo
Please enter your authentication name: admin
Please enter your password: 
CPU model:           x86_64
CPU(s):              4
CPU frequency:       1332 MHz
CPU socket(s):       1
Core(s) per socket:  4
Thread(s) per core:  1
NUMA cell(s):        1
Memory size:         16471716 KiB

### Other reference material
http://www.voidcn.com/article/p-hmtlzzky-brm.html

Username and Password Authentication with SASL

SASL provides username and password authentication as well as data encryption (digest-md5, by default).

Since SASL maintains its own user database, the users do not need to exist on the VM Host Server.

SASL is required for TCP connections and can also be used on top of TLS/SSL connections.

To configure SASL authentication, proceed as follows:
Modify /etc/libvirt/libvirtd.conf:

#To enable SASL for TCP connections:
auth_tcp = "sasl"

#To enable SASL for TLS/SSL connections:
auth_tls = "sasl"
Restart libvirtd

systemctl restart libvirtd
The libvirt SASL configuration file is located at /etc/sasl2/libvirtd.conf. Normally there is no need to change the defaults. However, if using SASL on top of TLS, you can turn off session encryption to avoid additional overhead (TLS connections are already encrypted) by commenting out mech_list. For TCP connections this parameter must be set to digest-md5:

mech_list: digest-md5     # mandatory for TCP connections
#mech_list: digest-md5    # apply default (username+password): TLS/SSL only!

By default, no SASL users are configured, so no logins are possible. Use the following commands to add, list, and delete users:

mercury:~ # saslpasswd2 -a libvirt foxchan                # add user foxchan
Password: 
Again (for verification): 

mercury:~ # sasldblistusers2 -f /etc/libvirt/passwd.db    # list users
foxchan@mercury.example.com: userPassword
mercury:~ # saslpasswd2 -a libvirt -d foxchan             # delete user foxchan
If you connect with qemu+tcp://, digest-md5 should be enabled so that the exchange is encrypted. If you connect with qemu+tls://, digest-md5 should be disabled so that the traffic is not encrypted once by digest-md5 and then again by TLS. Modify /etc/libvirt/libvirtd.conf:

listen_tls = 1
listen_tcp = 1

# no auth for the unix socket
auth_unix_ro = "none"
auth_unix_rw = "none"

tls_port = "16514"
tcp_port = "16509"

# members of this group are allowed through
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"

# tcp or tls requires auth
auth_tcp = "sasl"

# for tls the following needs to be configured
auth_tls = "sasl"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
Create the key and certificate

/////////////////////////////Create the Certificate Authority Certificate

cat certificate_authority_template.info
cn = libvirt.org
ca
cert_signing_key

apt-get install gnutls-bin

(umask 277 && certtool --generate-privkey > certificate_authority_key.pem)

cat certificate_authority_key.pem

root@popsuper1982:/home/cliu8/keys/certtool# ls -la certificate_authority_key.pem
-r-------- 1 root root 1972 Jul 15 22:28 certificate_authority_key.pem

certtool --generate-self-signed --template certificate_authority_template.info --load-privkey certificate_authority_key.pem --outfile certificate_authority_certificate.pem
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 53c53b4d
    Validity:
        Not Before: Tue Jul 15 14:31:41 UTC 2014
        Not After: Wed Jul 15 14:31:41 UTC 2015
    Subject: CN=libvirt.org
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Normal
        Modulus (bits 2432): (hex omitted)
        Exponent (bits 24): 01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Key Usage (critical):
            Certificate signing.
        Subject Key Identifier (not critical):
            f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
    Public Key Id:
        f113e5356c2b30271aa1f1bb6183676edee28ed7

Signing certificate...

cat certificate_authority_certificate.pem

# ls -la certificate_authority_certificate.pem
-r-------- 1 root root 1204 Jul 15 22:31 certificate_authority_certificate.pem

# cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem

chmod 444 /etc/pki/CA/cacert.pem

scp -r certificate_authority_certificate.pem cliu8@16.158.166.197:/home/cliu8/

on 16.158.166.197
cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem
/////////////////////////Creating Transport Layer Security Server Certificates for libvirt

cat popsuper1982_server_template.info
organization = libvirt.org
cn = popsuper1982
tls_www_server
encryption_key
signing_key

(umask 277 && certtool --generate-privkey > popsuper1982_server_key.pem)
Generating a 2432 bit RSA private key...

certtool --generate-certificate --template popsuper1982_server_template.info --load-privkey popsuper1982_server_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile popsuper1982_server_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 53c55255
    Validity:
        Not Before: Tue Jul 15 16:09:57 UTC 2014
        Not After: Wed Jul 15 16:09:57 UTC 2015
    Subject: O=libvirt.org,CN=popsuper1982
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Normal
        Modulus (bits 2432): (hex omitted)
        Exponent (bits 24): 01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c
        Authority Key Identifier (not critical):
            f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
    Public Key Id:
        0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c

Signing certificate...

cp popsuper1982_server_certificate.pem /etc/pki/libvirt/servercert.pem

cp popsuper1982_server_key.pem /etc/pki/libvirt/private/serverkey.pem
///////////////////////Creating Transport Layer Security Client Certificates for libvirt

# cat escto-bj-hp-z620_client_template.info 
country = CN
state = Beijing
locality = Beijing
organization = libvirt.org
cn = escto-bj-hp-z620
tls_www_client
encryption_key
signing_key

(umask 277 && certtool --generate-privkey > escto-bj-hp-z620_client_key.pem)
Generating a 2432 bit RSA private key...

certtool --generate-certificate --template escto-bj-hp-z620_client_template.info --load-privkey escto-bj-hp-z620_client_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile escto-bj-hp-z620_client_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 53c55678
    Validity:
        Not Before: Tue Jul 15 16:27:36 UTC 2014
        Not After: Wed Jul 15 16:27:36 UTC 2015
    Subject: C=CN,O=libvirt.org,L=Beijing,ST=Beijing,CN=escto-bj-hp-z620
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Normal
        Modulus (bits 2432): (hex omitted)
        Exponent (bits 24): 01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Client.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            f4385711f8089b39ba2c13869aa816114d378190
        Authority Key Identifier (not critical):
            f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
    Public Key Id:
        f4385711f8089b39ba2c13869aa816114d378190

Signing certificate...

root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_certificate.pem cliu8@16.158.166.197:/home/cliu8/
cliu8@16.158.166.197's password:
escto-bj-hp-z620_client_certificate.pem    100% 1379     1.4KB/s   00:00
root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_key.pem cliu8@16.158.166.197:/home/cliu8/
cliu8@16.158.166.197's password:
escto-bj-hp-z620_client_key.pem            100% 1968     1.9KB/s   00:00

Modify /etc/hosts

16.158.166.150 popsuper1982
16.158.166.197 escto-bj-hp-z620

Modify /etc/default/libvirt-bin

# cat /etc/default/libvirt-bin

# Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)
# This is a POSIX shell fragment
# Start libvirtd to handle qemu/kvm:
start_libvirtd="yes"

# options passed to libvirtd, add "-l" to listen on tcp
libvirtd_opts="-d -l"

# pass in location of kerberos keytab
#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab

Restart libvirt-bin, then check that both ports are listening:

root@popsuper1982:/home/cliu8# netstat -na | grep 16509
tcp        0      0 0.0.0.0:16509           0.0.0.0:*               LISTEN
tcp6       0      0 :::16509                :::*                    LISTEN
root@popsuper1982:/home/cliu8# netstat -na | grep 16514
tcp        0      0 0.0.0.0:16514           0.0.0.0:*               LISTEN
tcp6       0      0 :::16514                :::*                    LISTEN

Note the SASL configuration

cat /etc/sasl2/libvirt.conf

# If you want to use the non-TLS socket, then you *must* include
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
# ones that can offer session encryption as well as authentication.
#
# If you're only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# Default to a simple username+password mechanism
mech_list: digest-md5

# Before you can use GSSAPI, you need a service principle on the
# KDC server for libvirt, and that to be exported to the keytab
# file listed below
#mech_list: gssapi
#
# You can also list many mechanisms at once, then the user can choose
# by adding  '?auth=sasl.gssapi' to their libvirt URI, eg
#   qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: digest-md5 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
#
# There is no default value here, uncomment if you need this
#keytab: /etc/libvirt/krb5.tab

# If using digest-md5 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
sasldb_path: /etc/libvirt/passwd.db
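The two settings this note keeps adjusting, auth_tcp in /etc/libvirt/libvirtd.conf and mech_list in /etc/sasl2/libvirt.conf, are easy to leave in the weak combination produced by the Ubuntu/CentOS quick fix at the top (listen_tcp = 1 with auth_tcp = "none"), or with mech_list commented out for TLS while the TCP socket is still open. The following POSIX shell audit is an added example, not part of the original note or of libvirt itself: it reads both files and flags a TCP listener that is unauthenticated or whose mechanism list offers no session encryption. The sample config contents are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not libvirt's own code): audit libvirtd.conf + sasl2/libvirt.conf
# for an exposed TCP listener. Flagged: listen_tcp=1 with auth_tcp="none", or
# auth_tcp="sasl" with a mech_list lacking digest-md5/gssapi (the only SASL
# mechanisms that also encrypt the session, per the comments in libvirt.conf).

# Print the active (uncommented) value of key $2 in libvirt-style config $1, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print the active mech_list of a SASL config; empty when it is commented out.
sasl_mechs() {
    sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tail -n 1
}

# audit_libvirt_tcp <libvirtd.conf> <sasl2/libvirt.conf>: returns 0 if acceptable, 1 if weak.
audit_libvirt_tcp() {
    listen_tcp=$(conf_get "$1" listen_tcp)
    auth_tcp=$(conf_get "$1" auth_tcp)
    mechs=$(sasl_mechs "$2")
    if [ "$listen_tcp" != "1" ]; then
        echo "OK: TCP listener disabled (listen_tcp='${listen_tcp:-unset}')"; return 0
    fi
    case "$auth_tcp" in
        sasl)
            case " $mechs " in
                *" digest-md5 "*|*" gssapi "*)
                    echo "OK: auth_tcp=sasl, mech_list='$mechs' also encrypts the session"; return 0 ;;
                *)
                    echo "FAIL: auth_tcp=sasl but mech_list='$mechs' leaves TCP traffic unencrypted"; return 1 ;;
            esac ;;
        none)
            echo "FAIL: listen_tcp=1 with auth_tcp=\"none\" (no authentication, cleartext)"; return 1 ;;
        *)
            echo "WARN: auth_tcp is '${auth_tcp:-unset}'; set it explicitly to \"sasl\""; return 1 ;;
    esac
}

# Constructed sample files (no real hosts): the quick-fix result and a corrected pair.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.conf" <<'EOF'
listen_tls = 0
listen_tcp = 1
#auth_tcp = "sasl"
auth_tcp = "none"
EOF
printf 'listen_tcp = 1\nauth_tcp = "sasl"   # SASL on the plaintext socket\n' > "$TMP/good.conf"
printf 'mech_list: digest-md5\nsasldb_path: /etc/libvirt/passwd.db\n' > "$TMP/sasl.conf"
printf '#mech_list: digest-md5\nsasldb_path: /etc/libvirt/passwd.db\n' > "$TMP/sasl_tls_only.conf"

audit_libvirt_tcp "$TMP/weak.conf" "$TMP/sasl.conf" || true           # FAIL: auth_tcp=none
audit_libvirt_tcp "$TMP/good.conf" "$TMP/sasl_tls_only.conf" || true  # FAIL: mech_list commented out
audit_libvirt_tcp "$TMP/good.conf" "$TMP/sasl.conf"                   # OK
```

On a real host, call audit_libvirt_tcp /etc/libvirt/libvirtd.conf /etc/sasl2/libvirt.conf after each edit and before restarting libvirtd.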
Add a user

saslpasswd2 -a libvirt test1
Note that the application name here must be libvirt: only when libvirt is given is the configuration in /etc/sasl2/libvirt.conf used, so that the result is written to /etc/libvirt/passwd.db.

Only then does the following command produce the correct output:

sasldblistusers2 -f /etc/libvirt/passwd.db
test1@popsuper1982: userPassword
Now log in remotely over TCP:

$ virsh -c qemu+tcp://16.158.166.150/system list --all
Please enter your authentication name: test1@popsuper1982
Please enter your password: 
Id    Name                           State
----------------------------------------------------
-     ubuntu-14.04                   shut off
If connecting remotely over TLS, /etc/pki/CA/cacert.pem must also be in place.

On the client machine escto-bj-hp-z620:

tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
|   `-- cacert.pem
|-- libvirt
|   |-- clientcert.pem
|   `-- private
|       `-- clientkey.pem
`-- nssdb -> /var/lib/nssdb
On the server machine popsuper1982:

# tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
|   `-- cacert.pem
|-- libvirt
|   |-- private
|   |   `-- serverkey.pem
|   `-- servercert.pem
`-- nssdb -> /var/lib/nssdb
# virsh -c qemu+tls://popsuper1982/system list --all
Please enter your authentication name: test1@popsuper1982
Please enter your password: 
Id    Name                           State
----------------------------------------------------
-     ubuntu-14.04                   shut off
The connection must use the hostname (the CN in the server certificate) for authentication to succeed.
Document last updated: 2020-05-03 11:33   Author: 月影鹏鹏